Support for disabling basic auth / client cert

* [Added] `enable_basic_auth` variable. defaults to `false`<sup>1</sup>
* [Added] `basic_auth_username` variable. defaults to `""`
* [Added] `basic_auth_password` variable. defaults to `""`
* [Added] `issue_client_certificate` variable. defaults to
`true`<sup>2</sup>

Notes:

1. This will cause a plan change for existing users. Enabling it will
require them to set a username and password.

2. This is enabled by default, despite being a poor security practice
because changing this value is destructive to the cluster and we decided
to err on not trigger *destroy* plan changes to existing users.

Author: coryodaniel

cluster_regional.tf

@@ -35,6 +35,15 @@ resource "google_container_cluster" "primary" {
 
   master_authorized_networks_config = "${var.master_authorized_networks_config}"
 
+  master_auth {
+    username = "${local.cluster_basic_auth_username}"
+    password = "${local.cluster_basic_auth_password}"
+
+    client_certificate_config {
+      issue_client_certificate = "${var.issue_client_certificate}"
+    }
+  }
+
   addons_config {
     http_load_balancing {
       disabled = "${var.http_load_balancing ? 0 : 1}"

cluster_zonal.tf

@@ -35,6 +35,15 @@ resource "google_container_cluster" "zonal_primary" {
 
   master_authorized_networks_config = "${var.master_authorized_networks_config}"
 
+  master_auth {
+    username = "${local.cluster_basic_auth_username}"
+    password = "${local.cluster_basic_auth_password}"
+
+    client_certificate_config {
+      issue_client_certificate = "${var.issue_client_certificate}"
+    }
+  }
+
   addons_config {
     http_load_balancing {
       disabled = "${var.http_load_balancing ? 0 : 1}"

main.tf

@@ -140,6 +140,9 @@ locals {
   cluster_http_load_balancing_enabled        = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
   cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
   cluster_kubernetes_dashboard_enabled       = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
+
+  cluster_basic_auth_username = "${var.enable_basic_auth ? var.basic_auth_username : ""}"
+  cluster_basic_auth_password = "${var.enable_basic_auth ? var.basic_auth_password : ""}"
 }
 
 /******************************************

variables.tf

@@ -189,3 +189,23 @@ variable "monitoring_service" {
   description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none"
   default     = "monitoring.googleapis.com"
 }
+
+variable "enable_basic_auth" {
+  description = "Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials. Default: true"
+  default = true
+}
+
+variable "basic_auth_username" {
+  description = "Kubernetes HTTP Basic auth username. Defaults to empty string. Only used if `enable_basic_auth` is true"
+  default = ""
+}
+
+variable "basic_auth_password" {
+  description = "Kubernetes HTTP Basic auth password. Defaults to empty string. Only used if `enable_basic_auth` is true"
+  default = ""
+}
+
+variable "issue_client_certificate" {
+  description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! Default: false"
+  default = false
+}